Connecting a SteelHead with a Gateway
This topic describes how to configure SteelConnect and with a SteelHead CX to add WAN optimization to your SD-WAN deployment. It includes these sections:
The SteelHead SD 570-SD, 770-SD, and 3070-SD appliances deliver the benefits of SteelHead WAN optimization, application intelligence, and SteelConnect SD-WAN while providing the flexibility of a single-box solution. For details, see
Introducing SteelHead SD in the
SteelHead SD User Guide.
SteelHead compatibility
SteelConnect and SteelHead integrate with an automatic and seamless service chain for SD-WAN and WAN optimization, providing SD-WAN to SteelHead CX xx70s (or virtual SteelHeads) and WAN optimization to SteelConnect users. The combined products provide a smooth transition from WAN optimization to hybrid networking to SD-WAN.
One of the powerful features of a SteelConnect gateway is its ability to steer applications over a preferred path, as described in
Directing traffic using traffic rules. A SteelConnect gateway and a client-side SteelHead CX deployed on a local network work together to identify, classify, and steer traffic flows. The SteelHead CX optimizes connections, classifies the traffic, and sends application identification information to the gateway. The gateway selects a traffic path based on the application ID provided by the SteelHead CX and steers the traffic over the selected path.
Gateway and SteelHead CX branch deployment communication
Intelligent path selection is one of the primary benefits of a gateway working with a SteelHead CX xx70. Other benefits include:
•SaaS/cloud acceleration on the SteelHead CX
•WAN optimization with SDR (data compression) on the SteelHead CX
•Web proxy on the SteelHead CX
•Visibility of SteelHead CX optimized traffic across the local network
•Touchless LAN-side SteelHead CX and SCM gateway discovery and connection
•Support for multiple LAN-side SteelHead CXs in a physical in-path deployment
By default, SteelHead compatibility is disabled on the SteelHead CX and disabled globally for an organization in the SteelConnect Manager. SteelHead compatibility is enabled by default on SDI-2030 and SDI-5030 gateways and on the SteelHead SD 570-SD, 770-SD, and 3070-SD appliances.
SteelHead compatibility must be enabled on both appliances for autodiscovery. You can disable SteelHead compatibility on a specific gateway or SteelHead SD appliance within an organization.
To enable SteelConnect compatibility on a SteelHead CX automatically
•Enter this Riverbed command-line interface (CLI) command:
steelhead steel-connect compatibility enable
You can enable or disable SteelHead compatibility for a specific gateway. For details, see
Enabling SteelHead compatibility on the gateway automatically.
For details on SteelHead CX CLI commands, see the Riverbed Command-Line Interface Reference Manual. For details on the SteelHead CX xx70, see the SteelHead User Guide.
The SteelHead gateway connection
A SteelConnect gateway is compatible with a physical or virtual in-path SteelHead CX when the gateway is running SCM 2.5 or later and the SteelHead CX is running RiOS 9.5 or later.
The SteelConnect gateway watches for marked SYN packets from a SteelHead CX. After it sees one, it polls the SteelHead CX for availability. When the SteelHead CX receives a poll from a compatible SteelConnect gateway in the network path, the two appliances form a persistent TCP connection monitored by a heartbeat. The appliances discover each other and connect automatically using a TCP JavaScript Object Notation (JSON) control channel.
After the SteelHead CX connects with a gateway, it uses the Network Services Header (NSH) protocol to send generic routing encapsulated (GRE) metadata to the gateway on the inner connection between the appliances. The metadata preserves the client and server IP address and port numbers in the TCP/IP header fields for optimized traffic in both directions across the WAN. When the gateway receives the encapsulated metadata, it deencapsulates it and selects the best path based on the application information received.
The SteelHead CX and SteelConnect gateway connection automatically disables path selection on the SteelHead CX, and it enables path selection on the SteelConnect gateway. In addition, enabling SteelHead compatibility on the SteelHead automatically turns on application inspection and identification. For details, see
Directing traffic using traffic rules.
If the SteelHead CX connection is lost, the gateway tries to reconnect three times and logs the messages for each attempt. It will try to connect again when it receives another probe from the same SteelHead CX.
Firewalls need to allow the Riverbed TCP option probe
For the SteelHead CX to connect with a gateway, firewalls need to allow Riverbed TCP options. The SteelHead CX can’t locate a gateway if a firewall strips out the TCP options from optimized packets. You can configure the firewall to ignore or prevent stripping out the TCP option. The Riverbed Support site has Knowledge Base articles that show example configurations to allow discovery through different firewall types.
How does the gateway classify traffic flows?
When the gateway receives metadata about traffic flows from the SteelHead CX, it classifies them based on the current available information. It updates classification decisions based on any new information it receives. The gateway processes traffic flows as follows:
•When the gateway receives the application ID for the optimized connection, it uses it to classify the traffic flow according to the traffic rules.
•When the gateway has no information about the optimized connection, the traffic flow reverts to the default traffic rule. The default rule is a catch-all rule that you can edit to fit your needs. See
To create a traffic rule.
SteelHead compatibility limitations
These limitations apply to SteelHead compatibility deployments:
•SteelHead Interceptor deployments are not supported.
•When the SteelHead uses fixed-target rules, WAN optimization works fine; however, the SteelHead can’t apply traffic rules because the gateway doesn’t have visibility into the flow.
Enabling SteelHead compatibility on the gateway automatically
By default, SteelHead compatibility is enabled globally for an organization; this section explains how to reenable it after it has been disabled.
To enable SteelHead compatibility on a gateway automatically
1. Choose Appliances and select an appliance.
2. Select the SteelHead Compatibility tab.
Enabling gateway and SteelHead communication
3. Click On.
4. Click Submit.
Viewing SteelHead connections
After connecting a gateway with a SteelHead, you can view the event log to see more detail regarding when the LAN-side SteelHeads are connected and communicating (or when the connection is dropped).
To view SteelHead connection events
•Select Visibility > Event Log, or click the up arrow at the bottom of the screen and select the Events tab.
Event log reports connect and disconnect events
On the SteelHead, events such as the gateway connecting with the SteelHead appear in the user log. For details, see the SteelHead User Guide.